Part 3 – Can the CISO have their cake AND eat it?

Why should the CISO care? And what are the security benefits of Zero Trust?

As we’ve already described, it’s a more agile and mobile way to secure your infrastructure, and it takes the metaphorical perimeter right to the endpoint.

But there are other benefits aplenty:

Aligning the Security function with the business for the win

There are several ways you could describe this: moving to a DevSecOps model, shifting security left, shared responsibility, automating and integrating security, and I’m sure a few more I’m not thinking of right now.

But whatever you call it, or however you decide to cut it, breaking security (certainly at an operational level) out of its silo benefits the business. That silo often has a bad image: security is seen as a blocker, as unconstructive and, most importantly, as disincentivised to facilitate successful technology outcomes.

For Zero Trust to be effective and successful it will need to be part of the culture of continuous delivery. In fact, it should be an enabler for that.

Designing applications with Zero Trust in mind will alleviate (eradicate is a bit too definitive for my liking) the recurring scenario of the Security team rearing its head and raising issues late in a project.

So the benefit is an optimised speed and cadence of deployment, with the business adding new features, functionality and capability ahead of its competitors. This means security is hopefully viewed in a far more positive light!

Look, here’s a picture of a Happy Armadillo:

Continuous Contextual Access Control

Humans right? The weak link in the Security chain because they click on stupid links, enter their credentials into fake websites and their devices and accounts get compromised?

We’ve all heard it said many times. There is another debate, and a fresher way of thinking, that revisits that mindset and the negative view of and engagement with our colleagues, but it is way out of scope for this article.

A Zero Trust model can mitigate these compromise situations by denying access requests to applications based on the geo-location or device ID originating the request.

Another consequence of a successful phishing attack is a ransomware payload being dropped onto your infrastructure. Again, a Zero Trust/Micro-Segmentation architecture comes to the rescue, preventing the spread beyond a single device because access and authorisation are required between every workload.

Micro-Segmentation

Separation is a security principle as old as time. Going back to Armadillos and Castles & Moats, this was simply separating the ‘trusted’ network from the ‘untrusted’ wild west that was/is the internet.

Then within that we further separated tiers & domains, legacy systems, bastion hosts, the corporate network and possibly by departmental function too.

So in the concept of separating things (with the intent of restricting free or lateral movement around an internal network) it’s similar, but that’s where the similarity ends. Traditional segmentation was about placing security controls as close as possible to what it is you’re trying to protect.

With Zero Trust the security control is applied as close to the origin as possible, i.e. the endpoint or the edge. If the device doesn’t comply with the policy for that service, application or specific request, then there is no access; the device simply doesn’t participate on the network at any level.

By designing with Micro-Segmentation in mind, security policies can be enforced at a level as granular as each workload.

Increased Telemetry = Visibility

What are you going to do with all those extra logs and events from the data points?

Not getting overwhelmed is definitely a consideration, so tuning out events of no security value and/or false positives is key. Now would be a great time to consider your SOAR (Security Orchestration, Automation & Response) capability and ensure that it and the SOC are fully on board the good ship Continuous Security; both areas will be greatly enriched.

Designing the security controls and checkpoints in line with the MITRE ATT&CK matrix will also provide an excellent framework for capturing and alerting on what you need to alert on, and for anticipating and defending against it.

BYOD Support

If you have a whopping great risk on the Security Risk Register relating to business data being accessed from non-managed devices, Zero Trust can definitely help with that.

By continually assessing data relating to the status of the user, device, apps and data, access and authorisation can be provisioned, denied or verified further in real time, based on your risk appetite and tolerance.
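To make the contextual access control described above (denying on unknown device ID or geo-location) and this real-time BYOD assessment concrete, here is an added example policy engine; it is not code from the original post or from any vendor product. The device inventory, the country allow-list and the risk-to-sensitivity matrix are constructed assumptions standing in for whatever your risk appetite dictates.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"  # grant only after further verification, e.g. a fresh MFA prompt
    DENY = "deny"

# Data sensitivity, lowest to highest; the index doubles as a numeric weight.
SENSITIVITY = ("public", "internal", "confidential")

@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_id: str        # identity of the device originating the request
    country: str          # geo-location of the request, ISO 3166-1 alpha-2
    data_sensitivity: str

# Constructed sample context: hypothetical device inventory and geo allow-list.
KNOWN_DEVICES = {
    "lap-0042": {"managed": True, "compliant": True},    # corporate laptop
    "byod-0107": {"managed": False, "compliant": True},  # personal phone, enrolled
    "lap-0091": {"managed": True, "compliant": False},   # corporate, patches overdue
}
ALLOWED_COUNTRIES = {"GB", "IE"}

def evaluate(req, devices=KNOWN_DEVICES, countries=ALLOWED_COUNTRIES):
    """Decide one request from its current device and geo context. Re-run on every
    request, so a posture or location change flips the outcome. Returns (Decision, reasons)."""
    device = devices.get(req.device_id)
    if device is None:  # never enrolled: no participation at any level
        return Decision.DENY, ["unknown device id"]
    if req.country not in countries:
        return Decision.DENY, [f"geo-location {req.country} not permitted"]
    reasons = []
    if not device["managed"]:
        reasons.append("unmanaged (BYOD) device")
    if not device["compliant"]:
        reasons.append("device out of compliance")
    risk = len(reasons)  # one point per adverse posture signal
    if risk == 0:
        return Decision.ALLOW, reasons
    # Weigh risk against sensitivity: confidential data steps up at one adverse signal
    # and is denied at two; internal data steps up at two; public data is always allowed.
    weight = risk + SENSITIVITY.index(req.data_sensitivity)
    if weight >= 4:
        return Decision.DENY, reasons
    if weight >= 3:
        return Decision.STEP_UP, reasons
    return Decision.ALLOW, reasons
```

The reasons list is what you would write to the audit log, which is where the extra telemetry discussed below comes from.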

Skills Shortage

By reducing the complexity of the security stack and engendering the shared ownership of solid security outcomes with DevOps, the need for a wide range of skills across different vendor solutions diminishes greatly.

The Security SRE (Site Reliability Engineer) may well become a more broadly acknowledged role in its own right, embedded deeply within the DevOps teams and fully engaged in the entire pipeline.

There are many other benefits for challenges such as compliance, customer data privacy, innovation, supply chain security and much more. I think you could make a case for a comprehensive Zero Trust model improving things in any security domain, and beyond.

Zero Trust is, of course, a ‘term’ largely driven by marketeers and vendors with products to sell, and nobody should believe Zero Trust = Zero Risk.

While we have technology and internet connectivity (well, we do at the moment, but who knows what else 2020 has in store at this point!) there is always risk. What we can do significantly with a Zero Trust model is reduce the likelihood of a breach occurring and limit the blast radius when one does, which raises the cost to the attacker.

So business benefits and optimised security?

That’s a win.
